Intrusion Detection for Smart Grid Components by Leveraging of Real-Time Properties
This activity tackled the problem of detecting intrusions in control systems with real-time properties; most components that require a safety-critical mode of operation fall into this category. The main technique is to perform behavioral analysis of such systems in order to find anomalies with respect to attributes such as execution time, memory, and other system behavior (e.g., usage of system calls). Complementary to traditional cyber security technologies that aim to prevent intrusions, our work focused on survivability: the ability to continue operating safely even if intruders succeed in penetrating a system. Furthermore, an intruder's act of performing unsafe operations or modifying the existing data acquisition and/or control software will lead to detection and removal using our techniques.
Our detection approach was coupled with the development of architectures that maintain the safety of the overall safety-critical system, even if an attacker is able to intrude successfully into the system. Specifically, we developed behavioral models of real-time control systems used in the smart grid and used those models, along with trusted hardware modules, to monitor components for deviations from expected behavior. When an intrusion is detected, our approach transfers control away from the main controller to the trusted hardware module; the main controller is then either shut down gracefully or analyzed by engineers. Either way, the physical control system is not harmed. The trusted hardware module could be one of the cores in a multicore system (we called this framework SecureCore), a separate FPGA module, or even a software component.
The overall solution is applicable at the individual node level, where we monitor cyber properties such as execution time, control flow, memory traffic and system behavior using a trusted platform. Our methods increase the security of individual computational nodes in real-time control systems (such as those found in the power grid) and give those nodes the ability to detect and recover from failures due to malicious activity.
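The monitoring-and-failover idea described above, reduced to a small simulation as an added example (not code from the SecureCore project): a trusted monitor learns a profile of a control task's per-iteration execution time and system-call count from known-good runs, flags iterations that fall outside that envelope, and hands control to a fallback controller from the first flagged iteration onward. The traces, the 10 % timing margin, and all function names are constructed for illustration; a real deployment would take the samples from hardware timers and syscall tracing on the trusted core rather than from arrays.

```c
#include <stdio.h>
#include <stddef.h>

/* One observation of a control-loop iteration, as a trusted monitor
 * (a reserved core or FPGA) would collect it: how long the iteration
 * took and how many system calls it issued. */
typedef struct {
    double   exec_us;   /* execution time of the iteration, microseconds */
    unsigned syscalls;  /* number of system calls issued in the iteration */
} Sample;

/* Behavioral profile learned from known-good runs. */
typedef struct {
    double   min_exec_us;
    double   max_exec_us;
    unsigned max_syscalls;
} Profile;

enum { OK = 0, ANOMALY_TIMING = 1, ANOMALY_SYSCALLS = 2 };

/* Constructed training data: six iterations of a healthy control task. */
static const Sample TRAIN[] = {{480,3},{495,4},{510,3},{520,4},{500,3},{490,4}};
static const size_t TRAIN_N = sizeof TRAIN / sizeof TRAIN[0];

/* Constructed runtime trace: four healthy iterations, then one that runs
 * almost twice as long (e.g. extra code injected into the task), then more. */
static const Sample TRACE[] = {{500,3},{505,4},{498,3},{512,4},{910,4},{503,3},{499,3}};
static const size_t TRACE_N = sizeof TRACE / sizeof TRACE[0];

/* Learn min/max bounds from known-good samples; `margin` widens the timing
 * envelope by a fraction (0.10 = 10 %) to absorb benign jitter. */
void profile_learn(const Sample *train, size_t n, double margin, Profile *p)
{
    p->min_exec_us = train[0].exec_us;
    p->max_exec_us = train[0].exec_us;
    p->max_syscalls = train[0].syscalls;
    for (size_t i = 1; i < n; i++) {
        if (train[i].exec_us < p->min_exec_us) p->min_exec_us = train[i].exec_us;
        if (train[i].exec_us > p->max_exec_us) p->max_exec_us = train[i].exec_us;
        if (train[i].syscalls > p->max_syscalls) p->max_syscalls = train[i].syscalls;
    }
    p->min_exec_us *= (1.0 - margin);
    p->max_exec_us *= (1.0 + margin);
}

/* Check one iteration against the profile; timing is checked first. */
int monitor_check(const Profile *p, const Sample *s)
{
    if (s->exec_us < p->min_exec_us || s->exec_us > p->max_exec_us)
        return ANOMALY_TIMING;
    if (s->syscalls > p->max_syscalls)
        return ANOMALY_SYSCALLS;
    return OK;
}

/* Supervise a run: the main controller serves iterations until the monitor
 * flags one; from then on the trusted fallback serves every iteration.
 * Returns the number of fallback-served iterations; *first_anomaly receives
 * the index of the flagged iteration, or -1 if none was flagged. */
int supervise(const Profile *p, const Sample *trace, size_t n, int *first_anomaly)
{
    int fallback_iters = 0;
    *first_anomaly = -1;
    for (size_t i = 0; i < n; i++) {
        if (*first_anomaly < 0 && monitor_check(p, &trace[i]) != OK)
            *first_anomaly = (int)i;           /* transfer control */
        if (*first_anomaly >= 0)
            fallback_iters++;                  /* fallback in charge */
    }
    return fallback_iters;
}

/* Wrappers over the constructed data, so results can be checked by name. */
double learned_max_exec_us(void)
{
    Profile p; profile_learn(TRAIN, TRAIN_N, 0.10, &p); return p.max_exec_us;
}
int check_against_training(double exec_us, unsigned syscalls)
{
    Profile p; profile_learn(TRAIN, TRAIN_N, 0.10, &p);
    Sample s = { exec_us, syscalls };
    return monitor_check(&p, &s);
}
int trace_first_anomaly(void)
{
    Profile p; int first; profile_learn(TRAIN, TRAIN_N, 0.10, &p);
    supervise(&p, TRACE, TRACE_N, &first); return first;
}
int trace_fallback_iters(void)
{
    Profile p; int first; profile_learn(TRAIN, TRAIN_N, 0.10, &p);
    return supervise(&p, TRACE, TRACE_N, &first);
}

int main(void)
{
    printf("envelope: up to %.1f us, %d syscalls\n", learned_max_exec_us(), 4);
    printf("first anomaly at iteration %d; %d iterations served by fallback\n",
           trace_first_anomaly(), trace_fallback_iters());
    return 0;
}
```

With the constructed data the learned envelope is 432 to 572 microseconds and at most 4 system calls; iteration 4 (910 microseconds) is flagged and the fallback serves it and the two iterations after it. The min/max-with-margin model is deliberately simple; the point is that the check runs on the trusted side, so a compromised main controller cannot suppress it.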